Amendments to the Claims: 

This listing of claims will replace all prior versions, and listings, of claims in the 
application: 

1) (Currently Amended) A method for determining compliance with 
organizational business policies associated with a business risk, said method comprising: 

a. a computer receiving a user selection of a business risk 
element[[s]] from a business risk element list which is displayed to 
the user, said business risk element[[s]] list being retrieved from a 
database coupled to said computer; 

b. in response to the selection of said for each business risk element, 
the computer retrieving one or more predetermined control 
procedures, the control procedures identified by an administrator 
as a means for complying with business policies associated with 
said selected business risk element; 

c. the computer associating said one or more predetermined control 
procedures with said selected business risk element, said 
predetermined control procedures being stored in said database; 

d. in response to the retrieving of the control procedures, the 
computer retrieving a weight assigned to each one of said 
predetermined control procedures, said weight being stored in said 
database; 

e. the computer receiving a user selection of a compliance rating for 
each said predetermined control procedure, the rating selected by 
the user indicating a level of compliance with each one of said 
predetermined control procedures, for each of said predetermined 
control procedures the level of compliance is a subjective rating 
selected from a rigid set of compliance ratings, the same set of 
compliance ratings is available for each of said predetermined 
control procedures; and 

f. the computer calculating a compliance score, said compliance 
score being a function of said assigned weights and said 
compliance rating of said predetermined control procedures. 

2) (Previously Amended) The method of claim 1, wherein said compliance 
ratings comprise at least one rating identifying a non-fully compliant control procedure, 
said method further comprising the steps of: 

a. for each said control procedure having a non-fully compliant 
rating, the computer receiving a user generated signal indicating 
whether said non-fully compliant rating is accepted or not 
accepted; and 

b. for each said non-fully compliant control procedure which is 
indicated as not accepted, requiring the user to provide signals for 
generating an action plan. 

3) (Previously Amended) The method of claim 2 wherein said action plan 
include a target date, said method further comprising the step of the computer calculating 
an expected compliance score for one or more future dates based on said action plan 
target dates. 

4) (Previously Amended) The method of claim 3 further comprising the step 
of the computer tracking whether said expected compliance scores have been met, said 
tracking including calculating actual compliance scores for said target dates. 

5) (Previously Amended) The method of claim 4 further comprising the step 
of the computer displaying said expected compliance scores versus said actual 
compliance for said target dates. 

6) (Previously Amended) The method of claim 1 further comprising the step 
of the computer associating one or more parameters with each said compliance rating. 

7) (Original) The method of claim 6 wherein said one or more parameters 
are selected from the group comprising organization, business line, process, and region. 

8) (Previously Amended) The method of claim 6 further comprising the step 
of the computer sorting said compliance scores by said one or more parameters. 

9) (Previously Amended) The method of claim 8 further comprising the step 
of the computer displaying said sorted compliance scores. 

10) (Currently Amended) A method for determining compliance with 
organizational business policies associated with a business risk, said method comprising: 

a. a computer receiving a user selection of a business risk element 
from a business risk element list which is displayed to a user on a 
display terminal of the computer, said business risk element list 
being retrieved from a database coupled to said computer; 

b. in response to the selection of said business risk element, the 
computer identifying one or more subrisk elements associated with 
said business risk element, each said subrisk element being 
retrieved from said database; 

c. for at least one subrisk element, the computer retrieving one or 
more predetermined control procedures, the control procedures 
identified by an administrator as a means for complying with 
business policies associated with said identified subrisk element; 

d. the computer associating said one or more control procedures with 
said subrisk element, said control procedures being stored in said 
database; 

e. the computer retrieving a weight assigned to each one of said 
predetermined control procedures, said weight being stored in said 
database; 

f. the computer receiving a user selection of a compliance rating for 
each said predetermined control procedure, each said compliance 
rating is a subjective rating selected from a rigid predetermined set 
of compliance ratings, the same set of compliance ratings is 
available for each of said predetermined control procedures 
including at least one rating indicating said control procedure is not 
fully compliant; 

g. the computer calculating a compliance score, said compliance 
score being a function of said assigned weights and said 
compliance rating of said control procedures; 

h. for each said subrisk, the computer determining whether at least 
one control procedure associated with said subrisk is not fully 
compliant; 

i. for each said subrisk associated with at least one control procedure 
which is not fully compliant, the computer receiving a signal from 
the user indicating whether said subrisk should be accepted or not 
accepted; and 

j. for each said subrisk which is indicated as not accepted, the 
computer generating an action plan. 

11) (Previously Amended) The method of claim 10 wherein said action plan 
further includes a target date, said method further comprising the step of the computer 
calculating a future compliance score based on said action plan target dates. 

12) (Previously Amended) The method of claim 10 further comprising the 
step of the computer associating one or more parameters with each said compliance 
rating. 

13) (Previously Amended) The method of claim 12 further comprising the 
step of the computer sorting said compliance ratings and displaying said sorted ratings. 

14) (Currently Amended) A method of forecasting compliance with 
organizational business policies associated with a business risk with the aid of a computer 
system, said method comprising: 

a. the computer identifying a set of business risk elements, said 
business risk elements being stored in a database coupled to said 
computer; 

b. for at least one of said business risk elements, the computer 
retrieving one or more predetermined control procedures, the 
control procedures identified by an administrator as a means for 
complying with business policies associated with said business risk 
element; 

c. the computer associating said one or more control procedures with 
said business risk element; 

d. the computer retrieving a weight assigned to each one of said 
predetermined control procedures, said weight being stored in said 
database; 

e. the computer receiving a user selection of a compliance rating for 
each said predetermined control procedure, said compliance ratings 
are subjective ratings chosen from a predetermined rigid set of 
ratings over a uniform range, the same set of compliance ratings is 
available for each of said predetermined control procedures, 
including at least one rating identifying a non-fully compliant 
control procedure and at least one rating identifying fully 
compliant control procedures; 

f. for each said control procedure having a non-fully compliant 
rating, the user employing the computer to generate an action plan, 
said action plan including a target date for at least one action listed 
therein; and 

g. the computer calculating an expected compliance score for a future 
date, said expected compliance score being a function of said 
assigned weights, said fully compliant control procedures, and said 
action plan target dates for said non-fully compliant control 
procedures. 

15) (Original) The method of claim 14 wherein said action plan comprises a 
signal indicating whether said non-fully compliant rating is accepted or not accepted, said 
expected compliance score further being a function of said non-fully compliant ratings 
which have been accepted. 

16) (Currently Amended) A data processing system for determining 
compliance with organizational business policies associated with a business risk, said 
system comprising: 

a. a database; 

b. a processor coupled to said database, said processor being 
programmed to perform the steps comprising: 

i. the computer receiving a first signal identifying a user selection of 
a set of business risk elements from a business risk element list 
which is displayed to a user, said business risk elements being 
stored in said database; 

ii. the computer receiving a second signal identifying a user selection 
of one or more control procedures associated with each said 
business risk element, said control procedure comprising a means 
for complying with business policies associated with said risk 
elements, said control procedures being stored in said database; 

iii. the computer receiving a third signal assigning a weight to each 
said control procedure, said weight being stored said database; 

iv. the computer receiving a fourth signal identifying a user selection 
of a compliance rating for each said control procedure, for each of 
said predetermined control procedures the compliance rating is 
selected from a rigid set of compliance ratings, the same set of 
compliance ratings is available for each of said predetermined 
control procedures; and 

v. the computer calculating a compliance score, said compliance 
score being a function of said assigned weights and said 
compliance rating of said control procedures. 

17) (Previously Amended) The data processing system of claim 16, wherein 
said compliance ratings comprise at least one rating identifying a non-fully compliant 
control procedure, said processor being further programmed to perform the steps 
comprising: 

a. for each said control procedure having a non-fully compliant 
rating, the computer receiving a signal indicating whether said 
non-fully compliant rating is accepted or not accepted; 

b. for each said non-fully compliant control procedure which is 
indicated as not accepted, the computer receiving an action plan, 
said action plan including an expected target date for 
implementation and an expected compliance rating; and 

c. the computer generating one or more future expected compliance 
scores, said compliance scores being a function of said target dates, 
said assigned weights and said expected compliance rating of said 
control procedures. 

18) (Original) The data processing system of claim 16 further comprising a 
computer display coupled to said processor, said processor further being programmed to 
display said compliance scores on said computer display. 